EC-COUNCIL EC-COUNCIL Certifications 312-50 Questions & Answers

• Question 331:

  This kind of attack will let you assume a users identity at a dynamically generated web page or site:

  A. SQL Injection

  B. Cross Site Scripting

  C. Session Hijacking

  D. Zone Transfer

  Correct Answer: B

  Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy.

• Question 332:

  000 00 00 BA 5E BA 11 00 A0 C9 B0 5E BD 08 00 45 00 ...^......^...E. 010 05 DC 1D E4 40 00 7F 06 C2 6D 0A 00 00 02 0A 00 [email protected]...... 020 01 C9 00 50 07 75 05 D0 00 C0 04 AE 7D F5 50 10 ...P.u......}.P. 030 70 79 8F 27 00 00 48 54 54 50 2F 31 2E 31 20 32 py.'..HTTP/1.1.2 040 30 30 20 4F 4B 0D 0A 56 69 61 3A 20 31 2E 30 20 00.OK..Via:.1.0. 050 53 54 52 49 44 45 52 0D 0A 50 72 6F 78 79 2D 43 STRIDER..Proxy-C 060 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D onnection:.Keep- 070 41 6C 69 76 65 0D 0A 43 6F 6E 74 65 6E 74 2D 4C Alive..Content-L 080 65 6E 67 74 68 3A 20 32 39 36 37 34 0D 0A 43 6F ength:.29674..Co 090 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 ntentType:.text 0A0 2F 68 74 6D 6C 0D 0A 53 65 72 76 65 72 3A 20 4D /html..Server:. 0B0 69 63 72 6F 73 6F 66 74 2D 49 49 53 2F 34 2E 30 ..Microsoft 0C0 0D 0A 44 61 74 65 3A 20 53 75 6E 2C 20 32 35 20 ..Date:.Sun,.25. 0D0 4A 75 6C 20 31 39 39 39 20 32 31 3A 34 35 3A 35 Jul.1999.21:45:5 0E0 31 20 47 4D 54 0D 0A 41 63 63 65 70 74 2D 52 61 1.GMT..Accept-Ra 0F0 6E 67 65 73 3A 20 62 79 74 65 73 0D 0A 4C 61 73 nges:.bytes..Las 100 74 2D 4D 6F 64 69 66 69 65 64 3A 20 4D 6F 6E 2C t-Modified:.Mon, 110 20 31 39 20 4A 75 6C 20 31 39 39 39 20 30 37 3A .19.Jul.1999.07:

  120 33 39 3A 32 36 20 47 4D 54 0D 0A 45 54 61 67 3A 39:26.GMT..ETag: 130 20 22 30 38 62 37 38 64 33 62 39 64 31 62 65 31 ."08b78d3b9d1be1 140 3A 61 34 61 22 0D 0A 0D 0A 3C 74 69 74 6C 65 3E :a4a"..... 180 0A 0D 0A 3C 68 31 3E 53 6E 69 66 66 69 6E 67 20 ...

  Sniffing. 190 28 6E 65 74 77 6F 72 6B 20 77 69 72 65 74 61 70 (network.wiretap 1A0 2C 20 73 6E 69 66 66 65 72 29 20 46 41 51 3C 2F ,.sniffer).FAQ....This.docu 1C0 6D 65 6E 74 20 61 6E 73 77 65 72 73 20 71 75 65 ment.answers.que 1D0 73 74 69 6F 6E 73 20 61 62 6F 75 74 20 74 61 70 stions.about.tap 1E0 70 69 6E 67 20 69 6E 74 6F 20 0D 0A 63 6F 6D 70 ping.into...comp 1F0 75 74 65 72 20 6E 65 74 77 6F 72 6B 73 20 61 6E uter.networks.an

  This packet was taken from a packet sniffer that monitors a Web server. This packet was originally 1514 bytes long, but only the first 512 bytes are shown here. This is the standard hexdump representation of a network packet, before being decoded. A hexdump has three columns: the offset of each line, the hexadecimal data, and the ASCII equivalent. This packet contains a 14-byte Ethernet header, a 20-byte IP header, a 20-byte TCP header, an HTTP header ending in two line- feeds (0D 0A 0D 0A) and then the data. By examining the packet identify the name and version of the Web server?

  A. Apache 1.2

  B. IIS 4.0

  C. IIS 5.0

  D. Linux WServer 2.3

  Correct Answer: B

  We see that the server is Microsoft, but the exam designer didn't want to make it easy for you. So what they did is blank out the IIS 4.0. The key is in line "0B0" as you see:

  0B0 69 63 72 6F 73 6F 66 74 2D 49 49 53 2F 34 2E 30 ..Microsoft

  49 is I, so we get II 53 is S, so we get IIS 2F is a space 34 is 4 2E is . 30 is 0 So we get IIS 4.0

  The answer is B

  If you don't remember the ASCII hex to Character, there are enough characters and numbers already converted. For example, line "050" has STRIDER which is 53 54 52 49 44 45 52 and gives you the conversion for the "I:" and "S" characters (which is "49" and "53").

• Question 333:

  You work as security technician at ABC.com. While doing web application testing, you might be required to look through multiple web pages online which can take a long time. Which of the processes listed below would be a more efficient way of doing this type of validation?

  A. Use mget to download all pages locally for further inspection.

  B. Use wget to download all pages locally for further inspection.

  C. Use get* to download all pages locally for further inspection.

  D. Use get() to download all pages locally for further inspection.

  Correct Answer: B

  Wget is a utility used for mirroring websites, get* doesn't work, as for the actual FTP command to work there needs to be a space between get and * (ie. get *), get (); is just bogus, that's a C function that's written 100% wrong. mget is a

  command used from "within" ftp itself, ruling out A. Which leaves B use wget, which is designed for mirroring and download files, especially web pages, if used with the R option (ie. wget R www.ABC.com) it could mirror a site, all expect

  protected portions of course.

  Note: GNU Wget is a free network utility to retrieve files from the World Wide Web using HTTP and FTP and can be used to make mirrors of archives and home pages thus enabling work in the background, after having logged off.

• Question 334:

  You visit a website to retrieve the listing of a company's staff members. But you can not find it on the website. You know the listing was certainly present one year before. How can you retrieve information from the outdated website?

  A. Through Google searching cached files

  B. Through Archive.org

  C. Download the website and crawl it

  D. Visit customers' and prtners' websites

  Correct Answer: B

  Archive.org mirrors websites and categorizes them by date and month depending on the crawl time. Archive.org dates back to 1996, Google is incorrect because the cache is only as recent as the latest crawl, the cache is over-written on each subsequent crawl. Download the website is incorrect because that's the same as what you see online. Visiting customer partners websites is just bogus. The answer is then Firmly, C, archive.org

• Question 335:

  You are gathering competitive intelligence on ABC.com. You notice that they have jobs listed on a few Internet job-hunting sites. There are two job postings for network and system administrators. How can this help you in footprint the organization?

  A. The IP range used by the target network

  B. An understanding of the number of employees in the company

  C. How strong the corporate security policy is

  D. The types of operating systems and applications being used.

  Correct Answer: D

  From job posting descriptions one can see which is the set of skills, technical knowledge, system experience required, hence it is possible to argue what kind of operating systems and applications the target organization is using.

• Question 336:

  What are the three phases involved in security testing?

  A. Reconnaissance, Conduct, Report

  B. Reconnaissance, Scanning, Conclusion

  C. Preparation, Conduct, Conclusion

  D. Preparation, Conduct, Billing

  Correct Answer: C

  Preparation phase - A formal contract is executed containing non-disclosure of the client's data and legal protection for the tester. At a minimum, it also lists the IP addresses to be tested and time to test. Conduct phase - In this phase the penetration test is executed, with the tester looking for potential vulnerabilities. Conclusion phase - The results of the evaluation are communicated to the pre-defined organizational contact, and corrective action is advised.

• Question 337:

  On a default installation of Microsoft IIS web server, under which privilege does the web server software execute?

  A. Everyone

  B. Guest

  C. System

  D. Administrator

  Correct Answer: C

  If not changed during the installation, IIS will execute as Local System with way to high privileges.

• Question 338:

  Which of the following buffer overflow exploits are related to Microsoft IIS web server? (Choose three)

  A. Internet Printing Protocol (IPP) buffer overflow

  B. Code Red Worm

  C. Indexing services ISAPI extension buffer overflow

  D. NeXT buffer overflow

  Correct Answer: ABC

  Both the buffer overflow in the Internet Printing Protocol and the ISAPI extension buffer overflow is explained in Microsoft Security Bulletin MS01-023. The Code Red worm was a computer worm released on the Internet on July 13, 2001. It attacked computers running Microsoft's IIS web server.

• Question 339:

  Bart is looking for a Windows NT/2000/XP command-line tool that can be used to assign, display, or modify ACL's (access control lists) to files or folders and also one that can be used within batch files.

  Which of the following tools can be used for that purpose? (Choose the best answer)

  A. PERM.exe

  B. CACLS.exe

  C. CLACS.exe

  D. NTPERM.exe

  Correct Answer: B

  Cacls.exe is a Windows NT/2000/XP command-line tool you can use to assign, display, or modify ACLs (access control lists) to files or folders. Cacls is an interactive tool, and since it's a command-line utility, you can also use it in batch files.

• Question 340:

  You wish to determine the operating system and type of web server being used. At the same time you wish to arouse no suspicion within the target organization.

  While some of the methods listed below work, which holds the least risk of detection?

  A. Make some phone calls and attempt to retrieve the information using social engineering.

  B. Use nmap in paranoid mode and scan the web server.

  C. Telnet to the web server and issue commands to illicit a response.

  D. Use the netcraft web site look for the target organization's web site.

  Correct Answer: D

  Netcraft is providing research data and analysis on many aspects of the Internet. Netcraft has explored the Internet since 1995 and is a respected authority on the market share of web servers, operating systems, hosting providers, ISPs, encrypted transactions, electronic commerce, scripting languages and content technologies on the internet.